CC details fully decryptable too, since they store the key in the config file
We just bought WHMCS last month and started Plesk on it, and from the start we deployed ours differently, it is amazing that they ran everything on a single server, license verify, tickets, billing, website etc just amazing.
Note however that it was not via WHMCS itself, but by incredibly insecure practices by their host and owner that lead to this.
We had tried a couple other automation systems before launching plesk, and another coming product, but they just did not work well, WHMCS is not perfect either, but it did better in most regards than others.
I hope that this incident, the 2nd in 6 months, will change their first focus to security, of their setup and hosting infrastructure, and of their product.